2008-11-25 13:39
[I]Understanding virus names[/I]

By Mary Landesman

Antivirus vendors generally assign virus names consisting of a prefix, the name, and a suffix. Not all vendors follow this convention, however, and even those who do may sometimes use different designators. When attempting to find information about a particular virus, it can be helpful to understand how the names are formed.


The prefix

The prefix (when used) identifies the type of virus or malware it is. W32 or Win32, for example, denotes that it is a Windows 32-bit infector and thus impacts Windows 95, 98, 2000, 2003, XP, Me and NT 4.0. Those that impact only Windows 95/98 often have the prefix W95. Other vendors apply prefixes that indicate the type of threat rather than the platform it infects. For example, a TROJ prefix implies the file is a Trojan Horse, an I-Worm prefix indicates it is an Internet/email worm, and OM signifies that it is a Microsoft Office macro virus.


W97M, WM and X2KM are other examples of macro virus prefixes; they both denote that it is a macro virus and provide clues as to which versions of Office (or which products within Office) are impacted. For example, an X2KM prefix in a virus name indicates that it is a macro virus impacting the Office 2000 version of Excel.


The prefix is usually separated from the name by an underscore, a period, or a slash.


The name
Following the prefix is the actual name of the malware. For example, W32/Bagle has a prefix of W32 and the worm itself is dubbed Bagle.


The suffix
Many viruses belong to the same family but are slightly different. To differentiate between these variants, antivirus vendors assign an alphabetical suffix. The original virus (or worm, Trojan, etc.) generally does not have a suffix assigned until after further variants of the same threat are discovered. For example, W32/Bagle became W32/Bagle.A after the 'B' variant was discovered.


Subsequent variants are assigned successive letters of the alphabet, i.e. Bagle.A, Bagle.B, Bagle.C through to Bagle.Z. When the end of the alphabet has been reached, the count starts over with a second letter. Thus, following Bagle.Z will be Bagle.AA, Bagle.AB, Bagle.AC, etc. The third pass through the alphabet would begin with Bagle.BA, Bagle.BB, Bagle.BC, etc. This repeats as many times as necessary. As of October 2004, the prolific Gaobot variants had reached W32/Gaobot.BOW.


The suffix is generally separated from the virus name by either a period or a dash.

The modifier
Some vendors also add a modifier after the suffix that further describes what type of malware it is. For example, @mm signifies a mass-mailing email worm and @dl is used by some to designate a downloader.


Using the above information, we can quickly see that W32/Bagle.BB@mm is a Bagle variant that is a mass-mailing email worm impacting Windows 32-bit systems.


One virus, many names
It's one thing to understand how the name is constructed, but what if you are looking for information on the threat? It's important to remember that different vendors assign different names to the same virus. Thus, when searching for information on a particular virus, it is imperative that both the vendor and the virus name be referenced.


For example, if using a search engine to find information on Bagle.AT, make sure you also include the name of the vendor that identified it as such. Otherwise, a generic search on Bagle.AT could lead you to information that did not pertain to the particular virus your antivirus software had identified. What Trend Micro calls WORM_BAGLE.AT is W32/Bagle-AU to Sophos, W32/Bagle.bb@mm to McAfee, Win32.Bagle.AQ to Computer Associates, and I-Worm.Bagle.at to Kaspersky. Antivirus vendor Symantec not only considers it a different variant, they also have assigned a different name to the worm family. Instead of Bagle, Symantec persists in calling the family Beagle, thus the Bagle.AT variant used in this example is W32.Beagle.AW@mm to Symantec.
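The suffix counting rule, the W32/Bagle.BB@mm walk-through and the six-vendor Bagle.AT table above can all be checked mechanically. The Python below is an added example written for this page, not code from the article or from any antivirus vendor. Vendors publish no common grammar, so the prefix heuristic (KNOWN_PREFIXES and _looks_like_prefix), the FAMILY_ALIASES map for the Beagle/Bagle spelling, and the parse_name splitting order are assumptions made for this example; the six vendor names are the ones the article lists.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Prefixes named in the article, plus WORM from the Trend Micro example.
# Assumption: anything outside this set is judged by the heuristic below.
KNOWN_PREFIXES = {"W32", "WIN32", "W95", "W97M", "WM", "X2KM",
                  "TROJ", "I-WORM", "OM", "WORM"}
# Family spellings that differ per vendor (the article's Bagle/Beagle case).
FAMILY_ALIASES = {"BEAGLE": "BAGLE"}


@dataclass(frozen=True)
class VirusName:
    raw: str
    prefix: Optional[str]
    family: str
    suffix: Optional[str]
    modifier: Optional[str]


def suffix_to_ordinal(suffix: str) -> int:
    """A=1 .. Z=26, AA=27 .. AZ=52, BA=53 ...: the lettering scheme the article describes."""
    n = 0
    for ch in suffix.upper():
        if not "A" <= ch <= "Z":
            raise ValueError(f"non-alphabetic suffix character {ch!r} in {suffix!r}")
        n = n * 26 + (ord(ch) - ord("A") + 1)
    return n


def ordinal_to_suffix(n: int) -> str:
    """Inverse of suffix_to_ordinal (1 -> 'A', 26 -> 'Z', 27 -> 'AA')."""
    if n < 1:
        raise ValueError("variant ordinals start at 1")
    letters = []
    while n > 0:
        n, rem = divmod(n - 1, 26)
        letters.append(chr(ord("A") + rem))
    return "".join(reversed(letters))


def _looks_like_prefix(token: str, separator: str, rest: str) -> bool:
    # '/' and '_' only ever separate prefix from name in the article, so they
    # are decisive. A '.' is ambiguous (it also separates name from suffix):
    # treat the token as a prefix if it is a known one, contains a digit
    # (W32, W97M, X2KM) or another separator still follows in the remainder.
    if separator in "/_":
        return True
    return (token.upper() in KNOWN_PREFIXES
            or any(c.isdigit() for c in token)
            or re.search(r"[.-]", rest) is not None)


def parse_name(raw: str) -> VirusName:
    """Split a detection name into prefix / family / suffix / modifier (heuristic)."""
    body, modifier = raw.strip(), None
    if "@" in body:                      # @mm, @dl and similar modifiers
        body, modifier = body.split("@", 1)

    prefix = None
    m = re.match(r"^([A-Za-z0-9-]+)([_./])(.+)$", body)
    if m and _looks_like_prefix(m.group(1), m.group(2), m.group(3)):
        prefix, body = m.group(1), m.group(3)

    suffix = None                        # variant letters after '.' or '-'
    m = re.match(r"^(.+?)[.-]([A-Za-z]+)$", body)
    if m:
        body, suffix = m.group(1), m.group(2)

    if not body:
        raise ValueError(f"no family name in {raw!r}")
    return VirusName(raw, prefix, body, suffix, modifier)


def canonical_family(name: VirusName) -> str:
    fam = name.family.upper()
    return FAMILY_ALIASES.get(fam, fam)


def cross_vendor_report(vendor_names: dict) -> dict:
    """Per vendor: (alias-normalised family, variant ordinal or 0, modifier).
    The family may agree while the variant letters do not, which is why a
    bare 'Bagle.AT' is not a usable cross-vendor key."""
    report = {}
    for vendor, raw in vendor_names.items():
        n = parse_name(raw)
        ordinal = suffix_to_ordinal(n.suffix) if n.suffix else 0
        report[vendor] = (canonical_family(n), ordinal, n.modifier)
    return report


# The six names the article lists for the one Bagle.AT sample.
BAGLE_AT_BY_VENDOR = {
    "Trend Micro": "WORM_BAGLE.AT",
    "Sophos": "W32/Bagle-AU",
    "McAfee": "W32/Bagle.bb@mm",
    "Computer Associates": "Win32.Bagle.AQ",
    "Kaspersky": "I-Worm.Bagle.at",
    "Symantec": "W32.Beagle.AW@mm",
}

if __name__ == "__main__":
    for vendor, (fam, ordinal, mod) in cross_vendor_report(BAGLE_AT_BY_VENDOR).items():
        print(f"{vendor:20s} family={fam} variant#={ordinal} modifier={mod}")
    print("W32/Gaobot.BOW is variant number", suffix_to_ordinal("BOW"))
```

Running it shows all six names collapsing to the family BAGLE once the Beagle alias is applied, while the variant ordinals come out as 46, 47, 54, 43, 46 and 49: only Trend Micro and Kaspersky happen to agree on the letters, which is exactly the article's reason for always quoting the vendor alongside the name. The same arithmetic puts W32/Gaobot.BOW at variant 1765.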
